Response to Arguments 

1. This communication is in response to applicants' amendment received on August 
16, 2005. 

2. Amendments to claims 1-7, 11, 14, 17 and 21 are acknowledged. 

3. Addition of new claims 31-39 is acknowledged. 

3. Applicant's arguments with respect to the rejections of claims 1-7, 11-17 and 21-27 
under 35 USC § 102 have been fully considered and are persuasive. Therefore, the 
rejections have been withdrawn. However, upon further consideration, a new ground(s) 
of rejection is necessitated due to applicant's amendment of claims. 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the 
United States before the invention thereof by the applicant for patent, or on an international application 
by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371 (c) of this 
title before the invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) and the Intellectual Property and High Technology Technical 
Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting 
directly or indirectly from an international application filed before November 29, 2000. 
Therefore, the prior art date of the reference is determined under 35 U.S.C. 102(e) prior 
to the amendment by the AIPA (pre-AIPA 35 U.S.C. 102(e)). 

Claims 1-7, 11-17 and 21-27 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Porras et al. (6,321,338 B1; hereinafter Porras). 

Regarding claims 1, 11 and 21, Porras discloses: 

in a first correlation server in a hierarchy of correlation servers, logging events by 
storing event attributes as an event set, wherein each event set includes a source 
attribute, a target attribute and an event category attribute (see for example, col. 2, lines 
1-10; col. 3, lines 15-41; col. 3, lines 55-65; col. 5, lines 15-64, where the source and 
destination addresses are the attributes); 

classifying events as groups by aggregating events with at least one attribute 
within the event set as an identical value (see for example, col. 5, lines 15-64; col. 7, 
lines 5-23, where the source and destination addresses are the attributes); 

calculating a respective severity level for each of the groups (see, for example, 
col. 6, line 52-col. 7, line 3, where the distribution of recently observed values 
corresponds to the recited calculating a respective severity level); 

calculating a delta severity for each group from the respective severity level and 
a respective prior severity level (see, for example, col. 6, line 52-col. 7, line 3, where 
obtaining a score of the event which is an indication of deviation between the 
short-term and long-term profiles values related to the event corresponds to the recited 
calculating a delta severity); and 

for each group having non-zero delta severity, propagating the respective delta 
severity to a higher-level correlation server (see, for example, col. 4, lines 61-65; col. 5, 
lines 30-36; col. 6, line 52-col. 7, line 3; col. 7, lines 4-30, where score threshold 
corresponds to the recited non-zero delta severity which is being transmitted to the 
network monitor that corresponds to the recited a higher-level correlation server). 
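
The claimed sequence (log event sets, group on a shared attribute value, compute severity, compute delta severity, propagate non-zero deltas upward) can be sketched as follows. This is an added example, not code from the application, from Porras, or from this Office action; the class and function names are hypothetical, the events are constructed, and using the event count as the severity level and the target attribute as the grouping key are assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class EventSet:
    source: str    # source attribute
    target: str    # target attribute
    category: str  # event category attribute

@dataclass
class CorrelationServer:
    name: str
    parent: Optional["CorrelationServer"] = None
    group_by: str = "target"  # attribute whose identical value defines a group (assumed)
    pending: list = field(default_factory=list)
    severity: Counter = field(default_factory=Counter)  # current level per group
    reported: dict = field(default_factory=dict)        # prior level per group

    def log(self, event):
        self.pending.append(event)

    def correlate(self):
        """Group pending events, then push each non-zero delta to the parent."""
        for ev in self.pending:
            self.severity[getattr(ev, self.group_by)] += 1  # assumed severity: count
        self.pending.clear()
        deltas = {}
        for group, level in self.severity.items():
            delta = level - self.reported.get(group, 0)
            if delta != 0:  # unchanged groups generate no upward traffic
                deltas[group] = delta
                self.reported[group] = level
                if self.parent is not None:
                    self.parent.severity[group] += delta
        return deltas

def run_two_rounds():
    # Constructed sample events on documentation address ranges.
    root = CorrelationServer("root")
    a = CorrelationServer("leaf-a", parent=root)
    b = CorrelationServer("leaf-b", parent=root)
    for src in ("192.0.2.1", "192.0.2.2", "192.0.2.3"):
        a.log(EventSet(src, "10.0.0.5", "authentication failure"))
    a.log(EventSet("192.0.2.1", "10.0.0.9", "access violation"))
    b.log(EventSet("198.51.100.7", "10.0.0.5", "authentication failure"))
    round1 = (a.correlate(), b.correlate(), root.correlate())
    a.log(EventSet("192.0.2.4", "10.0.0.5", "authentication failure"))
    round2 = (a.correlate(), b.correlate(), root.correlate())
    return round1, round2
```

In the second round only the one changed group travels up the hierarchy; the idle leaf and the unchanged group produce no message.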

Regarding claims 2, 12 and 22, Porras discloses: 

The computer-implemented method of claim 1, wherein the severity levels are 
calculated based on at least one of the number of event sets within each of the groups, 
the source attribute of the event sets within each of the groups, the target attribute of 
the event sets within each of the groups, and the event category attribute of the event 
sets within each of the groups (see, for example, col. 5, lines 4-64). 

Regarding claims 3, 13 and 23, Porras discloses: 

The computer-implemented method of claim 1, wherein the events include at 
least one of a web server event, an electronic mail event, a Trojan horse, denial of 
service, a virus, a network event, an authentication failure, and an access violation (see, 
for example, col. 4, lines 31-47; col. 5, lines 25-30). 

Regarding claims 4, 14 and 24, Porras discloses: 

The computer-implemented method of claim 1, further comprising: 
calculating the threshold value based on at least one of the source attribute of 
the event sets within the group, the target attribute of the event sets within the group, 
the event category attribute in each event set of the group, and the number of attributes 
in each event set of the group that are held constant across all of the event sets in the 
group (see, for example, col. 5, lines 4-64; col. 6, line 52-col. 7, line 3). 

Regarding claims 5, 15 and 25, Porras discloses: 

The computer-implemented method of claim 1, wherein the target attribute 
represents one of a computer and a collection of computers (see, for example, col. 1, 
lines 36-41; col. 2, lines 45-50; col. 5, lines 10-15). 

Regarding claims 6, 16 and 26, Porras discloses: 

The computer-implemented method of claim 1, wherein the source attribute 
represents one of a computer and a collection of computers (see, for example, col. 1, 
lines 36-41; col. 2, lines 45-50; col. 4, line 61-col. 5, line 10-15). 

Regarding claims 7, 17 and 27, Porras discloses: 

The computer-implemented method of claim 1, further comprising: aggregating a 
subset of the groups into a combined group (see, for example, col. 7, lines 16-23). 

Allowable Subject Matter 

Claims 31-39 are objected to as being dependent upon a rejected base claim, 
but would be allowable if rewritten in independent form including all of the limitations of 
the base claim and any intervening claims. 

Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

US Patent No. 6,779,031 B1 to Picher-Dempsey. 

US Patent Pub. No. 2002/0019945 A1 to Houston et al. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Abdulhakim Nobahar whose telephone number is 
571-272-3808. The examiner can normally be reached on M-T 8-6. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 



Abdulhakim Nobahar 
Examiner 
Art Unit 2132 /CL 